Skip pausing of security-related plugins to avoid opening up an attac…

…k vector
wp-core-php · Jan 9, 2019 · 5d38162 · 5d38162
1 parent c433600
commit 5d38162
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/src/wp-includes/class-wp-paused-extensions-storage.php b/src/wp-includes/class-wp-paused-extensions-storage.php
@@ -63,6 +63,10 @@ public function add( $extension, $error ) {
 			return false;
 		}
 
+		if ( $this->is_security_related_extension( $extension ) ) {
+			return false;
+		}
+
 		if ( is_multisite() && is_site_meta_supported() ) {
 			// Do not update if the error is already stored.
 			if ( get_site_meta( get_current_blog_id(), $this->meta_prefix . $extension, true ) === $error ) {
@@ -186,6 +190,24 @@ public function get_all() {
 		return (array) get_option( $this->option_name, array() );
 	}
 
+	/**
+	 * Check whether the extension to be recorded is marked as being related to
+	 * security functionality.
+	 *
+	 * Deactivating such an extension might open up an attack vector, so we skip
+	 * these and prefer to let the site break instead.
+	 *
+	 * @param string $extension Extension to check.
+	 * @return bool Whether the extension is related to security.
+	 */
+	protected function is_security_related_extension( $extension ) {
+		$filtered_extensions = array(
+			'better-wp-security'
+		);
+
+		return in_array( $extension, $filtered_extensions, true );
+	}
+
 	/**
 	 * Gets the site meta query clause for querying sites with paused extensions.
 	 *